Comments on: Cisco IOS Order of Operation – Updated, Again http://etherealmind.com/cisco-ios-order-of-operation/ Network design, architecture, thinking, working. Tech. Fri, 10 Feb 2012 18:43:00 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: pugalendi dhanapal http://etherealmind.com/cisco-ios-order-of-operation/#comment-1226 pugalendi dhanapal Wed, 14 Sep 2011 05:39:00 +0000 http://etherealmind.com/?p=1697#comment-1226 Good Info , Great Good Info , Great

]]> By: pugalendi dhanapal http://etherealmind.com/cisco-ios-order-of-operation/#comment-1227 pugalendi dhanapal Wed, 14 Sep 2011 05:39:00 +0000 http://etherealmind.com/?p=1697#comment-1227 Good , great info Good , great info

]]> By: roberto taccon http://etherealmind.com/cisco-ios-order-of-operation/#comment-1225 roberto taccon Fri, 16 Apr 2010 10:30:54 +0000 http://etherealmind.com/?p=1697#comment-1225 http://www.google.com/profiles/roberto.taccon#buzz CISCO IOS OOO (Order Of Operation) attached an updated diagram by Gregg Schudel the original diagram @ pag.120 Chapter 3: IP Network Traffic Plane Security Concepts on Router Security Strategies: Securing IP Network Traffic Planes http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365 http://lh3.googleusercontent.com/_pYguWUnPyho/S8g3bZWvDCI/AAAAAAAAADo/zTqaSSgb1ZA/IOS-OOO.PNG http://www.google.com/profiles/roberto.taccon#buzz

CISCO IOS OOO (Order Of Operation)

attached an updated diagram by Gregg Schudel

the original diagram @ pag.120 Chapter 3: IP Network Traffic Plane Security Concepts on
Router Security Strategies: Securing IP Network Traffic Planes
http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365

http://lh3.googleusercontent.com/_pYguWUnPyho/S8g3bZWvDCI/AAAAAAAAADo/zTqaSSgb1ZA/IOS-OOO.PNG

]]> By: CraigW http://etherealmind.com/cisco-ios-order-of-operation/#comment-1224 CraigW Wed, 09 Sep 2009 14:57:31 +0000 http://etherealmind.com/?p=1697#comment-1224 ZBF is tricky and I don't know the answer. As you say, zone pairs are determined after PBR/routing. It would seem that ZBF ingress/egress policies are probably only applied at egress (or egress to "self"), using a cached copy of the original pre-NAT packet. But that's just a guess. If you have the time and patience to go through a battery of tests, correlate ZBF behavior with NAT translations, ACL counters, and Netflow records, and you should get a good view of how it fits (please let me know). For "nat enable" (NVI), my OOO shows it taking place along with NAT inside-to-outside. I.e., WCCP should occur before "nat enable" ZBF is tricky and I don’t know the answer. As you say, zone pairs are determined after PBR/routing. It would seem that ZBF ingress/egress policies are probably only applied at egress (or egress to “self”), using a cached copy of the original pre-NAT packet. But that’s just a guess. If you have the time and patience to go through a battery of tests, correlate ZBF behavior with NAT translations, ACL counters, and Netflow records, and you should get a good view of how it fits (please let me know).

For “nat enable” (NVI), my OOO shows it taking place along with NAT inside-to-outside. I.e., WCCP should occur before “nat enable”

]]> By: Greg Ferro http://etherealmind.com/cisco-ios-order-of-operation/#comment-1223 Greg Ferro Wed, 09 Sep 2009 10:05:04 +0000 http://etherealmind.com/?p=1697#comment-1223 I suspect that this is why Cisco doesn't publish an absolute reference because the ACTUAL order varies from platform to platform, possibly different in code releases. Still, the above is a good guide until proven otherwise. I suspect that this is why Cisco doesn’t publish an absolute reference because the ACTUAL order varies from platform to platform, possibly different in code releases.

Still, the above is a good guide until proven otherwise.

]]> By: Greg Ferro http://etherealmind.com/cisco-ios-order-of-operation/#comment-1222 Greg Ferro Wed, 09 Sep 2009 10:03:55 +0000 http://etherealmind.com/?p=1697#comment-1222 I don't have any answers to your questions at the moment. While we could wish for Cisco to publish something definitive, this is probably as good as it gets for now. I don’t have any answers to your questions at the moment. While we could wish for Cisco to publish something definitive, this is probably as good as it gets for now.

]]> By: Greg Ferro http://etherealmind.com/cisco-ios-order-of-operation/#comment-1221 Greg Ferro Wed, 09 Sep 2009 10:02:28 +0000 http://etherealmind.com/?p=1697#comment-1221 Peirky Thanks for your info, I have updated the post to show the new information and made a copy of 6200networks information. While I like this list, it isn't 'official' so I tend to go with the Networkers version unless proven or needed. I could wish that Cisco would publish a recognised version other than the Nat Order of operations. Something definitive would be good. Peirky

Thanks for your info, I have updated the post to show the new information and made a copy of 6200networks information. While I like this list, it isn’t ‘official’ so I tend to go with the Networkers version unless proven or needed. I could wish that Cisco would publish a recognised version other than the Nat Order of operations. Something definitive would be good.

]]> By: Ivan Pepelnjak http://etherealmind.com/cisco-ios-order-of-operation/#comment-1220 Ivan Pepelnjak Tue, 08 Sep 2009 18:25:46 +0000 http://etherealmind.com/?p=1697#comment-1220 Well, as I've already (probably) commented to Joe's post, the outside-to-inside NAT is sometimes before the input ACL. See this post in my wiki: http://wiki.nil.com/NAT_caveats_in_IOS_release_12.4T#Packets_rejected_by_inbound_ACL_generate_NAT_translations Well, as I’ve already (probably) commented to Joe’s post, the outside-to-inside NAT is sometimes before the input ACL. See this post in my wiki:

http://wiki.nil.com/NAT_caveats_in_IOS_release_12.4T#Packets_rejected_by_inbound_ACL_generate_NAT_translations

]]> By: snetherland http://etherealmind.com/cisco-ios-order-of-operation/#comment-1219 snetherland Tue, 08 Sep 2009 17:00:18 +0000 http://etherealmind.com/?p=1697#comment-1219 Greg, Thanks so much for this. I can't tell you how often during the design and configure stage of a build I've had to scour the internet for an order of operations list. I am curious though where zone-based firewall and nat virutal-interfaces fit into this list. For instance, this specifically references when domain-based nat will be performed, but symmetric natting will first send a packet to the NVI and then route it again to the egress interface. Would this mean the nat decision would occur before the outbound WCCP redirect decision? And then with ZBFW your policies are not implemented until a packet crosses between zones. This, as best I can tell, would have to be after the routing decision unless you are using PBR. Would this mean, excluding packets destined to the Self zone, that the only time stateful packet inspection would occur is on the 9th order of the egress operation? Thanks again for this helpful reference. Greg,
Thanks so much for this. I can’t tell you how often during the design and configure stage of a build I’ve had to scour the internet for an order of operations list. I am curious though where zone-based firewall and nat virutal-interfaces fit into this list. For instance, this specifically references when domain-based nat will be performed, but symmetric natting will first send a packet to the NVI and then route it again to the egress interface. Would this mean the nat decision would occur before the outbound WCCP redirect decision? And then with ZBFW your policies are not implemented until a packet crosses between zones. This, as best I can tell, would have to be after the routing decision unless you are using PBR. Would this mean, excluding packets destined to the Self zone, that the only time stateful packet inspection would occur is on the 9th order of the egress operation?

Thanks again for this helpful reference.

]]> By: Pierky http://etherealmind.com/cisco-ios-order-of-operation/#comment-1218 Pierky Tue, 08 Sep 2009 16:53:09 +0000 http://etherealmind.com/?p=1697#comment-1218 Hi Greg, this is my first comment on your blog, so I would like to thank you for your good work! :) The table you posted from Cisco is at this URL: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml At the end of the page we can find "Updated: Sep 30, 2008". There is another table too, on 6200networks.com by Joe Harris: http://6200networks.com/2008/09/30/ios-order-of-operation/ This list has more entries than your Net≠work≠ers table, for example it covers reverse crypto maps. This post also is dated September 30th, 2008! Who bids more? :) Hi Greg, this is my first comment on your blog, so I would like to thank you for your good work! :)

The table you posted from Cisco is at this URL: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

At the end of the page we can find “Updated: Sep 30, 2008″.

There is another table too, on 6200networks.com by Joe Harris: http://6200networks.com/2008/09/30/ios-order-of-operation/

This list has more entries than your Net≠work≠ers table, for example it covers reverse crypto maps.
This post also is dated September 30th, 2008!

Who bids more? :)

]]> By: Greg Ferro http://etherealmind.com/cisco-ios-order-of-operation/#comment-1217 Greg Ferro Tue, 08 Sep 2009 16:05:05 +0000 http://etherealmind.com/?p=1697#comment-1217 "Router Security Securing IP Control Planes BRKSEC-2105" - This was from Cisco Networkers 2009 in Barcelona. “Router Security Securing IP Control Planes BRKSEC-2105″ – This was from Cisco Networkers 2009 in Barcelona.

]]> By: Greg Ferro http://etherealmind.com/cisco-ios-order-of-operation/#comment-1216 Greg Ferro Tue, 08 Sep 2009 16:02:38 +0000 http://etherealmind.com/?p=1697#comment-1216 Matt, I fixed the image and you should be able to get a larger image now. Matt,

I fixed the image and you should be able to get a larger image now.

]]> By: Matt http://etherealmind.com/cisco-ios-order-of-operation/#comment-1215 Matt Tue, 08 Sep 2009 14:42:07 +0000 http://etherealmind.com/?p=1697#comment-1215 Can you please share what session you got that diagram from? Can you please share what session you got that diagram from?

]]> By: Matt Johnson http://etherealmind.com/cisco-ios-order-of-operation/#comment-1214 Matt Johnson Tue, 08 Sep 2009 14:09:13 +0000 http://etherealmind.com/?p=1697#comment-1214 A larger version of that image would be great! A larger version of that image would be great!

]]>